"Jeroen van Meeuwen (Kolab Systems)" 02-29-2012 09:32 AM

semanage is prevented from writing to user_tmp_t file
 
Hello,

I have an Enterprise Linux 6 machine, managed by Puppet, enforcing the
target policy, for which Puppet manages a bunch of contexts and
policies, but the following message occurs when it attempts to do so:


type=AVC msg=audit(1330511088.080:1757): avc: denied { write } for
pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0"
dev=dm-0 ino=1572875
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file


The following is a reference to what Puppet is trying to do:


http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98


In short, I'm installing custom built mailman packages so that I can
have devel@project1 alongside devel@project2 mailing lists by installing
dedicated mailman instances for project1 and project2. The Puppet module
I'm referring to attempts to apply the necessary SELinux contexts to the
files deployed with each RPM package.


I'm wondering what is causing the denial (or, why semanage needs
something in /tmp/ with the name of puppet in it) as well as what to do
about it - it doesn't seem to be blocking Puppet from achieving the goal
of adding new file_contexts for these custom packages.


Kind regards,

Jeroen van Meeuwen

--
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

"Jeroen van Meeuwen (Kolab Systems)" 02-29-2012 11:06 AM

semanage is prevented from writing to user_tmp_t file
 
On 2012-02-29 14:00, Miroslav Grepl wrote:
> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
>> Hello,
>>
>> I have an Enterprise Linux 6 machine, managed by Puppet, enforcing
>> the target policy, for which Puppet manages a bunch of contexts and
>> policies, but the following message occurs when it attempts to do so:
>>
>> type=AVC msg=audit(1330511088.080:1757): avc: denied { write }
>> for pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0"
>> dev=dm-0 ino=1572875
>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
> Could you attach full AVC message. I am interested in "syscall" and
> "success" fields.
>
> It looks like a leak file descriptor.

I believe this is everything, but if not, please point me in the right
direction:

type=AVC msg=audit(1330454003.144:529): avc: denied { write } for
pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0"
dev=dm-0 ino=1572875
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59
success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620
items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage"
exe="/usr/bin/python"
subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)

Thanks,

>> The following is a reference to what Puppet is trying to do:
>>
>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>
>> In short, I'm installing custom built mailman packages so that I can
>> have devel@project1 alongside devel@project2 mailing lists by
>> installing dedicated mailman instances for project1 and project2. The
>> Puppet module I'm referring to attempts to apply the necessary SELinux
>> contexts to the files deployed with each RPM package.
>>
>> I'm wondering what is causing the denial (or, why semanage needs
>> something in /tmp/ with the name of puppet in it) as well as what to
>> do about it - it doesn't seem to be blocking Puppet from achieving the
>> goal of adding new file_contexts for these custom packages.
>>
>> Kind regards,
>>
>> Jeroen van Meeuwen

Kind regards,

Jeroen van Meeuwen

--
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08

Miroslav Grepl 02-29-2012 01:00 PM

semanage is prevented from writing to user_tmp_t file
 
On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
> Hello,
>
> I have an Enterprise Linux 6 machine, managed by Puppet, enforcing the
> target policy, for which Puppet manages a bunch of contexts and
> policies, but the following message occurs when it attempts to do so:
>
> type=AVC msg=audit(1330511088.080:1757): avc: denied { write }
> for pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0"
> dev=dm-0 ino=1572875
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Could you attach full AVC message. I am interested in "syscall" and
"success" fields.

It looks like a leak file descriptor.

> The following is a reference to what Puppet is trying to do:
>
> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>
> In short, I'm installing custom built mailman packages so that I can
> have devel@project1 alongside devel@project2 mailing lists by
> installing dedicated mailman instances for project1 and project2. The
> Puppet module I'm referring to attempts to apply the necessary SELinux
> contexts to the files deployed with each RPM package.
>
> I'm wondering what is causing the denial (or, why semanage needs
> something in /tmp/ with the name of puppet in it) as well as what to
> do about it - it doesn't seem to be blocking Puppet from achieving the
> goal of adding new file_contexts for these custom packages.
>
> Kind regards,
>
> Jeroen van Meeuwen




Daniel J Walsh 02-29-2012 02:34 PM

semanage is prevented from writing to user_tmp_t file
 
On 02/29/2012 07:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
> On 2012-02-29 14:00, Miroslav Grepl wrote:
>> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems)
>> wrote:
>>> Hello,
>>>
>>> I have an Enterprise Linux 6 machine, managed by Puppet,
>>> enforcing the target policy, for which Puppet manages a bunch
>>> of contexts and policies, but the following message occurs when
>>> it attempts to do so:
>>>
>>> type=AVC msg=audit(1330511088.080:1757): avc: denied { write
>>> } for pid=9222 comm="semanage"
>>> path="/tmp/puppet20120229-8297-bjmcbp-0" dev=dm-0 ino=1572875
>>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>>
>> Could you attach full AVC message. I am interested in "syscall"
>> and "success" fields.
>>
>> It looks like a leak file descriptor.
>>
>
> I believe this is everything, but if not, please point me in the
> right direction:
>
> type=AVC msg=audit(1330454003.144:529): avc: denied { write } for
> pid=16025 comm="semanage"
> path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e
> syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00
> a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2
> comm="semanage" exe="/usr/bin/python"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> key=(null)
>
> Thanks,
>
>>>
>>> The following is a reference to what Puppet is trying to do:
>>>
>>>
>>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11 ;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>>
>>>
>>>
>>>
>>> In short, I'm installing custom built mailman packages so that I can
>>> have devel@project1 alongside devel@project2 mailing lists by
>>> installing dedicated mailman instances for project1 and
>>> project2. The Puppet module I'm referring to attempts to apply
>>> the necessary SELinux contexts to the files deployed with each
>>> RPM package.
>>>
>>> I'm wondering what is causing the denial (or, why semanage
>>> needs something in /tmp/ with the name of puppet in it) as well
>>> as what to do about it - it doesn't seem to be blocking Puppet
>>> from achieving the goal of adding new file_contexts for these
>>> custom packages.
>>>
>>> Kind regards,
>>>
>>> Jeroen van Meeuwen
>>>
>
> Kind regards,
>
> Jeroen van Meeuwen
>


Puppet is creating a log file in /tmp that it is then handing to
semanage as its stdout. SELinux is blocking the tool's ability to
write to stdout and SELinux is just replacing the /tmp file with
/dev/null. So semanage is succeeding but an ugly AVC is created.

Miroslav we probably should go through policy and allow domains to
write to inherited user_tmp_t files. Which would solve the puppet
problem.

Daniel J Walsh 02-29-2012 02:39 PM

semanage is prevented from writing to user_tmp_t file
 
On 02/29/2012 10:34 AM, Daniel J Walsh wrote:
> On 02/29/2012 07:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
>> On 2012-02-29 14:00, Miroslav Grepl wrote:
>>> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems)
>>> wrote:
>>>> Hello,
>>>>
>>>> I have an Enterprise Linux 6 machine, managed by Puppet,
>>>> enforcing the target policy, for which Puppet manages a
>>>> bunch of contexts and policies, but the following message
>>>> occurs when it attempts to do so:
>>>>
>>>> type=AVC msg=audit(1330511088.080:1757): avc: denied {
>>>> write } for pid=9222 comm="semanage"
>>>> path="/tmp/puppet20120229-8297-bjmcbp-0" dev=dm-0 ino=1572875
>>>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>>>
>>> Could you attach full AVC message. I am interested in
>>> "syscall" and "success" fields.
>>>
>>> It looks like a leak file descriptor.
>>>
>
>> I believe this is everything, but if not, please point me in the
>> right direction:
>
>> type=AVC msg=audit(1330454003.144:529): avc: denied { write }
>> for pid=16025 comm="semanage"
>> path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875
>> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>> type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e
>> syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00
>> a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2
>> comm="semanage" exe="/usr/bin/python"
>> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
>> key=(null)
>
>> Thanks,
>
>>>>
>>>> The following is a reference to what Puppet is trying to do:
>>>>
>>>>
>>>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11 ;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>>>
>>>>
>>>>
>>>>
>
>>>>
>>>> In short, I'm installing custom built mailman packages so that I can
>>>> have devel@project1 alongside devel@project2 mailing lists by
>>>> installing dedicated mailman instances for project1 and
>>>> project2. The Puppet module I'm referring to attempts to
>>>> apply the necessary SELinux contexts to the files deployed
>>>> with each RPM package.
>>>>
>>>> I'm wondering what is causing the denial (or, why semanage
>>>> needs something in /tmp/ with the name of puppet in it) as
>>>> well as what to do about it - it doesn't seem to be blocking
>>>> Puppet from achieving the goal of adding new file_contexts
>>>> for these custom packages.
>>>>
>>>> Kind regards,
>>>>
>>>> Jeroen van Meeuwen
>>>>
>
>> Kind regards,
>
>> Jeroen van Meeuwen
>
>
>
> Puppet is creating a log file in /tmp that it is then handing to
> semanage as its stdout. SELinux is blocking the tool's ability to
> write to stdout and SELinux is just replacing the /tmp file with
> /dev/null. So semanage is succeeding but an ugly AVC is created.
>
> Miroslav we probably should go through policy and allow domains to
> write to inherited user_tmp_t files. Which would solve the puppet
> problem.
>
>

It would also be nice if puppet opened the file for append rather than
write.

sesearch -A -s semanage_t -t user_tmp_t -p append -c file
Found 1 semantic av rules:
allow application_domain_type user_tmp_t : file { getattr append } ;

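Dan's explanation above (a descriptor inherited across execve that the new domain may not write is swapped for /dev/null, so the command succeeds but an AVC is still logged) and the sesearch result showing that append, not write, is allowed on user_tmp_t files can both be checked mechanically from the audit log. The following is an added Python example, not code from the thread, semanage or Puppet: it correlates AVC and SYSCALL records by audit serial, flags the execve/success=yes case as a cosmetic denial, and points at the append remedy; the sample input is the pair of audit lines Jeroen posted.

```python
"""Correlate each SELinux AVC record with the SYSCALL record sharing its audit
serial and flag this thread's pattern: a denial at execve with success=yes means
the new domain could not use an inherited fd, which the kernel swapped for
/dev/null, so the command still ran. Added example; sample input from the thread."""
import re
from collections import defaultdict

SYS_EXECVE_X86_64 = 59        # arch=c000003e in the posted record
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
_PERMS = re.compile(r'denied\s+\{([^}]*)\}')
SAMPLE_AUDIT = """\
type=AVC msg=audit(1330454003.144:529): avc: denied { write } for pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

def parse_record(line):
    """One audit line -> dict of key=value fields; AVC lines also get 'perms'."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec['serial'] = _SERIAL.search(line).group(1)
    m = _PERMS.search(line)
    if m:
        rec['perms'] = m.group(1).split()
    return rec

def classify(text):
    """Return {serial: (verdict, hint)} for every AVC record in the audit text."""
    events = defaultdict(dict)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events[rec['serial']][rec['type']] = rec
    out = {}
    for serial, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL')
        if avc is None:
            continue
        at_execve = sc and sc.get('arch') == 'c000003e' and int(sc['syscall']) == SYS_EXECVE_X86_64
        if at_execve and sc['success'] == 'yes':
            verdict = 'inherited-fd-replaced-with-devnull'  # cosmetic AVC, command ran
        elif sc and sc['success'] == 'no':
            verdict = 'enforced'                            # the operation really failed
        else:
            verdict = 'undetermined'
        # sesearch in the thread: application domains may append, not write, to
        # user_tmp_t files, so the caller should open its /tmp log with O_APPEND.
        hint = ''
        if verdict.startswith('inherited') and avc.get('perms') == ['write'] \
                and avc.get('tclass') == 'file' and ':user_tmp_t:' in avc.get('tcontext', ''):
            hint = 'open the inherited /tmp log for append rather than write'
        out[serial] = (verdict, hint)
    return out
```

Feed it `ausearch -m AVC,SYSCALL --raw` output to separate denials that actually blocked something (success=no) from the cosmetic ones this thread is about.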

Daniel J Walsh 02-29-2012 02:42 PM

semanage is prevented from writing to user_tmp_t file
 
https://bugzilla.redhat.com/show_bug.cgi?id=798694